Ingest PowerShell Transcription Logs into IDR?

We’re looking into enabling PowerShell Transcription Logging for all our workstations and servers but need a place to direct the logs to protect them against deletion/access and to facilitate searching in case of an incident. Is there a way to simply throw the logs at InsightIDR?

I’m reading online that some companies save the logs to a secure folder on a file server but I would prefer to have InsightIDR have eyes on it.

Thanks in advance…

If you do the method of saving the logs to a folder, you could set it as a shared directory and then use watch directory or tail file for IDR to pull them. Alternatively, depending on the setup for saving the logs, if you have the option to simply syslog them, then you can just send them to the collector on a specific port.

These would both be set up as custom logs in IDR.

@nomenal after you configure the GPO with a destination folder where all transcription text file logs will be sent, you can set up a custom Rapid7 event source with watch directory as the collection method. One thing I’ve noticed is the default format of those transcription logs can mess up the log ingestion, so that each text file might come through as multiple IDR logs, which can make querying very difficult. If you have the paid version of NXLog there is an available parser that works well, but that parser is not supported in the community edition (free one) of NXLog.
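As an added example (not from this thread, and not Rapid7 or NXLog code), here is a small Python script that splits a transcript file into one JSON line per session, so a line-based collector such as watch directory or tail file sees each session as a single event instead of many fragments. The sample transcript is constructed, and the field names such as output_lines are my own.

```python
import json
import re

# Constructed sample in the default PowerShell transcription layout
# (header block, session body, footer block). Not a real capture.
SAMPLE = """**********************
Windows PowerShell transcript start
Start time: 20240301101500
Username: CORP\\alice
RunAs User: CORP\\alice
Machine: WS01 (Microsoft Windows NT 10.0.19045.0)
Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process ID: 4321
**********************
PS C:\\Users\\alice> Get-Service
Status   Name
------   ----
Running  WinRM
PS C:\\Users\\alice> Get-Process | Select-Object -First 1
**********************
Windows PowerShell transcript end
End time: 20240301101630
**********************
"""

SEPARATOR_RE = re.compile(r"^\*{10,}\r?\n", re.M)   # the asterisk divider lines
PROMPT_RE = re.compile(r"^PS [^>]*> (.+)$")         # "PS C:\path> <command>"


def _fields(lines):
    """Turn 'Key: value' header/footer lines into snake_case dict keys."""
    out = {}
    for line in lines:
        key, _, value = line.partition(": ")
        out[key.lower().replace(" ", "_")] = value
    return out


def parse_transcript(text):
    """Return one dict per session found in a transcript file."""
    sessions, current = [], None
    for block in SEPARATOR_RE.split(text):
        lines = [l.rstrip("\r") for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        if lines[0] == "Windows PowerShell transcript start":
            current = {"commands": [], "output_lines": 0, **_fields(lines[1:])}
            sessions.append(current)
        elif lines[0] == "Windows PowerShell transcript end" and current:
            current.update(_fields(lines[1:]))
            current = None
        elif current is not None:                   # session body
            for line in lines:
                m = PROMPT_RE.match(line)
                if m:
                    current["commands"].append(m.group(1))
                else:
                    current["output_lines"] += 1    # output is counted, not stored
    return sessions


def to_jsonl(text):
    """One JSON object per line per session, ready for a line-based collector."""
    return "\n".join(json.dumps(s, sort_keys=True) for s in parse_transcript(text))
```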

I’ve set up and supported transcription logging enterprise-wide. It writes all stdin and stdout to a file share, so depending on what’s executing on a given machine, there can be a LOT of output. Obviously that doesn’t parse easily. Even when it’s a small amount of text, it’s not structured. On the plus side, it does organize the text files nicely, with directories based on host name and date. So, I don’t think there’s much value in using IDR to search through the PowerShell logs. It’s definitely good to save them, to support investigations, but a file share is probably your best bet.